The U.S. traffic safety agency has firmly nudged carmakers into tightening their standards for cybersecurity. And if the nudge fails, then enforceable rules will surely follow.
For now, though, the National Highway Transportation Safety Administration is calling its list of best practices mere guidelines. NHTSA published them last Monday, exactly three months after two researchers showed what’s at stake by remotely commandeering a Jeep Cherokee driving on a highway. The researchers described their cyberattack at a conference held in August. And they talked about other vulnerabilities last week.
The main theme of the guidelines is that auto companies should make cybersecurity a priority. That would mean sharing information with rivals, for instance by logging and relaying the details of an attack through “seamless and direct communication channels,” so that other companies can devise countermeasures.
It’s not easy to force such close cooperation: Technology is now the most competitive aspect of the auto business.
NHTSA also wants companies to give outside developers less access to engine control units (ECUs). If a developer needs such access to debug a system, then the developer should have an interface that allows tinkering only with the relevant system.
As cars begin to connect, first with the infrastructure and then with each other, the risk increases that any attack will snowball. NHTSA wants all communications with the outside world—like the GPS navigation system—to run along channels that bypass ECUs.
One may wonder, though, exactly what scenario keeps NHTSA cybersecurity experts up at night. Today, if bad guys want to attack a car from a distance, they can (and do) use remotely controlled IEDs. So maybe the real threat is not to our bodies but to our digital secrets: A connected car may lead criminals to our bank accounts. And, as Willie Sutton said, that’s where the money is.